Re: [inc-interfed] status update, creating combined metadata file


  • From: Scott Koranda <>
  • To:
  • Subject: Re: [inc-interfed] status update, creating combined metadata file
  • Date: Mon, 25 Feb 2013 08:50:56 -0600
  • Authentication-results: sfpop-ironport05.merit.edu; dkim=pass (signature verified)

Hi,

> On Mon, Feb 25, 2013 at 7:49 AM, Scott Koranda
> <>
> wrote:
> >>
> >> It's not clear what value InCommon Operations can add to a custom
> >> metadata aggregate for LIGO.
> >
> > This exercise is not intended to create anything custom for
> > LIGO.
>
> Every InCommon entity that wants to interfederate needs a custom
> aggregate (in effect).

Sorry, I don't understand. You prepare a single InCommon
metadata aggregate now for people to consume at

http://wayf.incommonfederation.org/InCommon/InCommon-metadata.xml

Why could there not be a second one which is what InCommon
offers to its members that need to federate with
international partners?

I don't see why that is required to be a custom aggregate for
each InCommon entity, in much the same way that your current
feed is certainly not customized for each InCommon entity.

>
> > If I was only interested in furthering LIGO's federation
> > I would just join the UK federation and be done with it (along
> > with about 10 other federations around the world).
>
> Then you would have other problems, the most basic problem being how
> to manage a dozen copies of your metadata.

Right. So that is why I would like to rely on the InCommon
expertise to negotiate, vet, and then produce a metadata feed
that I can consume that includes international partners.

I think this is the model the UK Access Management Federation
is pursuing for its members. See

http://www.ukfederation.org.uk/content/Documents/InterfederationTrialFAQ

I ask Ian to correct me if I am wrong.

>
> > What I would like is for LIGO to be a use case that helps
> > drive international interfederation between InCommon and other
> > federations.
>
> I don't believe there is any such thing. Federation is between an IdP
> and an SP. Interfederation is between an IdP and an SP in different
> federations.

I would like InCommon to help me as an InCommon member to
federate (small 'f') with international partners.

Whatever words you wish to apply to that model are fine with
me--I just don't want to have to go out and join each
federation individually. I would like InCommon to negotiate
with other federations on my behalf so that my InCommon
entities become known to the other federations and their
members and their entities become known to me in a way that is
sane.

>
> InCommon Operations doesn't get in the middle of the relationship
> between an IdP and an SP.

Clearly that is not the case since I had to jump through a
number of hoops to join InCommon and then have my entities
registered as R&S SPs.

You are also working quite hard to provide levels of assurance
for vetted IdPs.

Perhaps I have misunderstood the role of InCommon Operations
and am confusing the issue unnecessarily.

I do not expect InCommon Operations, for example, to be
calling up SPs in the UK to somehow vet them.

I am just asking that "InCommon" negotiate a "sane" exchange
of metadata between itself and some international partners and
make available an aggregate metadata feed based on those sane
exchanges.

> I don't think we (Ops) want to change that.
>
> >> and
> >> there may be enough benefit in that to warrant a centralized service
> >> (there often is) but certainly LIGO can deploy a metadata aggregator
> >> and get the ball rolling without assistance from Ops.
> >
> > Yes, I think that is what has been done with Stephen's help.
> > :-)
>
> Well, no, Stephen's metadata aggregator represents an untrusted 3rd
> party. There is no basis to trust his signing key, so LIGO needs to
> own this operation (or at least that's the way I see it).

As a stepping stone, yes.

I am hoping, and I think Stephen has implied, that this can
become an official InCommon service at some point.

> > I would like to see InCommon Ops begin to think about how to
> > evolve it so it can become an InCommon service more generally
> > useful than for just LIGO.
>
> I have, and I hinted about such a service in my previous message.
>
> > I think it will be more than useful if InCommon Ops can put
> > together an aggregate that has some level of vetting, probably
> > determined by a mutual negotiation between InCommon and the UK
> > federation (and other federations eventually), and then let
> > the individual InCommon entities decide which other entities
> > to trust, just as can be done now with the standard InCommon
> > metadata feed.
>
> That's essentially equivalent to what I described earlier except that
> the order of operations is different. First you tell me what other
> entities you want to trust and then I will securely assemble the
> corresponding entity descriptors into an aggregate that you can
> consume. Does that meet your needs?

I think so, though I don't want to have to go out and discover
entity IDs on my own.

I want my internal conversation to go somewhat like this:

- I have a user at Cardiff that needs to get to my SP
- I need to have my SP interoperate with the Cardiff IdP
- The Cardiff IdP is part of the UK federation
- InCommon has an exchange agreement with the UK federation
- I can consume an InCommon metadata aggregate that has the Cardiff IdP
- The Cardiff IdP can consume a UK aggregate that has my SP
- I just need to make a simple configuration change on my SP
to consume that new feed

Ideally this can all happen without me having to contact you,
Ian Young, or even the Cardiff IdP operator. In the same way
that since my SP is in InCommon I don't have to contact OSU to
have their IdP recognize my SP. I know it will
take a while to get there but that is where I would like to
get.

>
> > In short, I am not asking InCommon Ops to make all my trust
> > decisions for me. I am asking InCommon Ops to manage a
> > "platform" that makes it easy for me as an InCommon member to
> > manage trust relationships with international partners.
>
> I think we can do that but the implementation I have in mind is
> different than the implementation you're thinking of. In the end, we
> arrive at the same thing so I don't think the implementation matters.

I think the process matters very much for the consuming
entities.

> (Well, it actually does matter to me since the implementation I have
> in mind precludes the need for InC Ops to make a trust decision on
> behalf of an InCommon entity.)
>

I want InCommon to make some trust decisions. I will rely on
the experts to get it right but my naive ideas are:

- I want to know InCommon and the UK have had some type of
formal discussion.
- I want to know there is a document (MOU?) that explains the
agreement between the two federations and where I can read
that document.
- I want to know that the entities that the UK "passes along"
to InCommon and that InCommon makes available as a feed to
me are entities that are in good standing in the UK
federation.
- If InCommon and the UK can agree on categories like R&S and
what they mean I want to know if entities in the UK are part
of those categories.
- If InCommon and the UK can agree on LOA and what they mean I
want to know if entities in the UK are part of a particular
LOA.

Cheers,

Scott K
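Added example, not code from this thread or from InCommon or the UK federation: a Python script showing the SP-side selection step the message describes, keeping from a metadata aggregate only the IdPs that a named federation registered (via mdrpi:RegistrationInfo) and that carry an agreed entity category such as R&S, and refusing an aggregate whose validUntil has passed. The sample aggregate, its entityIDs, the R&S category URI and the registration-authority URI are constructed or assumed values; verifying the aggregate's XML signature against the publisher's key, which the thread identifies as the basis of trust, is assumed to have happened before this step.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata", "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "mdattr": "urn:oasis:names:tc:SAML:metadata:attribute", "mdrpi": "urn:oasis:names:tc:SAML:metadata:rpi"}
ENTITY_CATEGORY = "http://macedir.org/entity-category"               # attribute Name carrying categories
RS_CATEGORY = "http://refeds.org/category/research-and-scholarship"  # assumed R&S category URI

# Constructed sample aggregate (not real metadata): two UK-registered IdPs, only the first tagged R&S.
SAMPLE_AGGREGATE = """<md:EntitiesDescriptor validUntil="2099-01-01T00:00:00Z"
  xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:mdattr="urn:oasis:names:tc:SAML:metadata:attribute"
  xmlns:mdrpi="urn:oasis:names:tc:SAML:metadata:rpi" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <md:EntityDescriptor entityID="https://idp.cardiff.example/idp">
    <md:Extensions>
      <mdrpi:RegistrationInfo registrationAuthority="http://ukfederation.org.uk"/>
      <mdattr:EntityAttributes><saml:Attribute Name="http://macedir.org/entity-category">
        <saml:AttributeValue>http://refeds.org/category/research-and-scholarship</saml:AttributeValue>
      </saml:Attribute></mdattr:EntityAttributes>
    </md:Extensions>
    <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://idp.other.example/idp">
    <md:Extensions><mdrpi:RegistrationInfo registrationAuthority="http://ukfederation.org.uk"/></md:Extensions>
    <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
  </md:EntityDescriptor>
</md:EntitiesDescriptor>"""

def _utc(stamp):  # SAML metadata timestamps look like 2099-01-01T00:00:00Z
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def trusted_idps(aggregate_xml, registrar, category=RS_CATEGORY, now=None):
    """entityIDs of IdPs registered by `registrar` and tagged `category`; ValueError if the feed has expired."""
    root = ET.fromstring(aggregate_xml)
    valid_until = root.get("validUntil")
    if valid_until:
        current = _utc(now) if isinstance(now, str) else (now or datetime.now(timezone.utc))
        if current > _utc(valid_until):
            raise ValueError("aggregate expired at " + valid_until)
    chosen = []
    for ed in root.iterfind("md:EntityDescriptor", NS):
        if ed.find("md:IDPSSODescriptor", NS) is None:
            continue                      # SPs in the feed are not candidates here
        reg = ed.find("md:Extensions/mdrpi:RegistrationInfo", NS)
        if reg is None or reg.get("registrationAuthority") != registrar:
            continue                      # registered elsewhere, or registrar unstated: skip
        path = "md:Extensions/mdattr:EntityAttributes/saml:Attribute[@Name='%s']/saml:AttributeValue" % ENTITY_CATEGORY
        if category in {v.text.strip() for v in ed.iterfind(path, NS)}:
            chosen.append(ed.get("entityID"))
    return chosen
```

The returned list is what an SP would feed into its own trust configuration, so the operator never has to discover entityIDs by hand.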
